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Abstract 

It is well-known (cf. K.-Pudlak[T5]) that a polynomial time algorithm 
finding tautologies hard for a propositional proof system P exists iff P is 
not optimal. Such an algorithm takes l'*^' and outputs a tautology of 
size at least k such that P is not p-bounded on the set of all r^'s. 

We consider two more general search problems involving finding a hard 
formula, Cert and Find, motivated by two hypothetical situations: that 
one can prove that NP 7^ coNP and that no optimal proof system exists. 
In Cert one is asked to find a witness that a given non-deterministic 
circuit with k inputs does not define TAUT n{0, 1}'' . In Find, given l'''' 
and a tautology a of size at most k'^" , one should output a size k tautology 
j3 that has no size k'^^ P-proof from substitution instances of a. 

We shall prove, assuming the existence of an exponentially hard one- 
way permutation, that Cert cannot be solved by a time 2*^'*^' algo- 
rithm. Using a stronger hypothesis about the proof complexity of Nisan- 
Wigderson generator we show that both problems Cert and Find are 
actually undefined for infinitely many k. The results are based on inter- 
preting the Nisan-Wigderson generator as a proof system. 

A propositional proof system in the sense of Cook and Reckhow jS^ is a 
polynomial time relation P{x, y) such that for a binary string r: 

r e TAUT iff Btt e {0, 1}*P(t, vr) 

where TAUT is the set of propositional tautologies (in DeMorgan language for 
the definiteness) . Any string tt for which P{t,tt) holds is called a P-proof of 
r. A proof system (tacitly propositional from now on) is p-bounded iff there 
exists a constant c > 1 such that the above holds even with the requirement that 
I ""I < \t\'^- Cook and Reckhow [8 noted that a p-bounded proof system exists 
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iff NP = coNP. Hence proving that no p-bounded proof system exists would 
imply NP ^ coNP and thus also P ^ NP. This fact elevated the investigation 
of lengths of proofs into a fundamental topic of mathematical logic approach to 
computational complexity. 

Strong lower bounds were proved for a variety of proof systems and several 
different methods for this purpose were invented. Examples of proof systems 
that appear to be outside of the scope of current methods are the so called Frege 
systems: the usual text-book propositional calculi based on a finite number of 
axioms schemes and inference rules (only quadratic lower bounds are known 
for them, cf.|10j). This apparent failure could cause an uninformed reader to 
dismiss the whole area of proof complexity. However, although we may not 
be near proving that NP ^ coNP, the lower bounds for weaker proof systems 
proved so far do have consequences interesting in their own right. For example, 
a single lower bound for a proof system P implies time lower bounds for a 
class Alg{P) of SAT algorithms associated with P and all commonly used SAT 
algorithms belong to such a class for some P for which we have an exponential 
lower bound (cf . [17] and references given there) . Another type of consequences 
can be found in bounded arithmetic: a lengths-of-proofs lower bound for P 
often implies the unprovability of a true H'j' sentence in a first-order theory Tp 
associated with P. These unprovability arguments do not use Godel's theorem 
and the sentences involved have typically a clear combinatorial meaning. 
And last but not least, any super-polynomial lower bound for P also implies 
that P ^ NP is consistent with Tp. We shall not survey these proof complexity 
topics in detail here and instead refer the reader to expositions in [HI [121 IHl ES] 
or in [m Chpt.27]. 

In this paper we are interested in the question how hard it is - to be mea- 
sured in terms of computational complexity here - to find tautologies hard (i.e. 
requiring long proofs) for a given proof system. Proposing plausible candidates 
for tautologies hard for Frege systems and for stronger proof systems turned 
out to be a quite delicate issue. The lack of a variety of good candidates is one 
of principal obstacles for proving lower bounds for strong systems. Of course, 
in principle one would be happy to accept a suggestion for such a hard tautol- 
ogy from a friendly oracle. However, the experience with known lower bound 
proofs shows that it is essential to have explicit formulas with a transparent 
combinatorial meaning. 

In particular, all first super-polynomial lower bounds for proof systems for 
which we have any such bounds were proved for some sequence of tautologies 
{Tk}k of size |rfe| > k and constructible in polynomial time (or even log space) 
from l^'^^. This type of sequences of hard tautologies has been considered in 
[TS] and [m Chpt.l4] and it exists for a proof system P iff P is not optimal, 
i.e. there exists a proof system Q that has a super-polynomial speed-up over P 
(w.r.t. lengths of proofs) on an infinite set of formulas. It is consistent with the 
present knowledge, and indeed most researchers seem to conjecture that, that 
no optimal proof system exist and hence that for each P a p-time constructible 
sequence of hard formulas exist. However, deriving the existence of hard formu- 
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las from the assumption of non-optimality is not very illuminating: it is a basic 
proof complexity result that P cannot admit polynomial size proofs of formu- 
las expressing the soundness of a proof system Q (these formulas are log space 
constructible) if Q has a super-polynomial speed-up over P on an infinite set of 
formulas (cf.[TTl Chpt.l4]). Hence, in a sense, deriving the existence of a poly- 
nomial time sequence of hard tautologies from the non-optimality assumption 
amounts just to restating the assumption in a different terminology. We refer 
the reader to Beyersdorff-Sadowskij^ for further information and up-to-date 
references. 

We shall consider in this paper two more general search problems in which 
the task includes a requirement to find a hard tautology. The two problems 
model in their ways two hypothetical situations: a situation when one can prove 
NP ^ coNP (i.e. super-polynomial lower bounds for all proof systems) and a 
situation when one can prove that no optimal proof system exists by having 
a uniform method how to construct from a given proof system a stronger one. 
These two tasks, Cert and Find, will be defined in Section [T] (in Section [7] we 
add one more search task Pair involving disjoint pairs of NP sets) . 

We will prove (using the hypothesis of the existence of a hard one-way permu- 
tation) that Cert cannot be solved by exponential time algorithms and (using 
a stronger hypothesis about the proof complexity of the Nisan-Wigderson gen- 
erator) that both Cert and Find actually cannot be solved at all on infinitely 
many input lengths. Our primary motivation for this research is to understand 
what kind of consequences do various - both proven and conjectural - statements 
about the proof complexity of the Nisan-Wigderson generator have. 

The paper is organized as follows. After the motivation and the definition of 
the search tasks Cert and Find in Section [T] we review some complexity theory 
in Section [2] and some proof complexity in Section [3l The hardness results are 
proved in Sections S] and El respectively (after a proof complexity interlude in 
Section O. The paper is concluded by Section [7] considering a related search 
task for disjoint pairs of sets and a few remarks in Section [H] 

We do assume only basic complexity theory and proof complexity (e.g. the 
well-known relation between reflection principles and simulations). But the 
reader may still benefit from understanding a wider proof complexity context. 
In particular, [15[ Chpt.27] overviews some fundamental problems of proof com- 
plexity and [m Chpts.29 and 30] surve}0 the theory proof complexity generators 
(and list relevant literature). 

1 The search tasks Cert and Find 

We are going to consider two search tasks asking us to find formulas with cer- 
tain properties (and in Section [7] we add one more). Both are more complex 

^One can read these chapters independently of the rest of the book. 
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than the mere task to construct hard tautologies for a given proof system that 
was discussed in the introduction. To motivate them we shall describe two 
thought situations in proof complexity; the search tasks are then abstract (and 
simplified) versions of those. 

First assume that you can prove (i.e. ZFC can) that NP ^ coNP and thus, 
in particular, super-polynomial lower bounds for all proof systems. For a proof 
system P and a constant c > 1 denote by LBp(c) the statement 

VlC'^Br [|t| > A: a t G TAUT A V7r(|7r| < |T|=)^P(r, tt)] 

formalizing a polynomial lower bound for P with degree c. 

It is easy to see that for any decent proof system (see Section [5] for a formal 
definition of decency), as long as we can prove some specific polynomial lower 
bound we can also prove its soundness. The decency assumption allows to 
extend a proof of a falsifiable formula ip to a proof of and further to a proof 
of any r, all in polynomial time. 

But by a simple application of Godel's theorem ZFC is not able to prove the 
soundness of all proof systems. This suggests that we should by proving lower 
bounds conditioned upon the assumption that P is indeed a Cook-Reckhow 
proof system. If P were not complete we do not need to bother with lower 
bounds for it, so the interesting clause of the Cook-Reckhow definition that is 
of interest here is the soundness and we are lead to implications: 

Refp ^ LBp(c) 

where Refp is a universal sentence (in the language L pv of Section ^ formal- 
izing that any formula with a P-proof must be a tautology. 

Now we simplify the situation bit more. Let D{x, y) be a circuit in k variables 
X = {xi, . . . , Xk) and i — k'^ variables y — (j/i, . . . , y^) which we interpret as the 
provability relation of a proof system restricted to formulas to size k and proofs 
of size at most £. This motivates the following search task Cert(c) defined for 
any constant c > 1: 

• input: l''^'-' and a size k'^ circuit D{x^y) in k variables x = (xi, . . . ,Xfc) 
and £ = k^ variables y = {yi, . . . ,ye) 

• required output: either a size k falsifiable formula ip such that D{ip,y) is 
satisfiable or a size k tautology r such that D{t, y) is unsatisfiable. 

The output of Cert{c) thus certifies that D is not a non-deterministic circuit 
(with input x and non-deterministic variables y) that accepts TAUT O {0, l}*^. 

The provability relation of a proof system restricted to size k formulas and 
size I proofs can be computed by circuits of size (k + In the formulation 

of the problem we have represented the 0(1) constant by c as well. In addition 
Cert ignores the uniformity of such circuits corresponding to a particular proof 
system (they can be constructed in log space from lW,lW). This is in line with 
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the prevailing approach in complexity theory to reduce uniform problems to non- 
uniform finite combinatorial problems. Finally note that in our simplification 
we are taking the reflection principle just for the proof lengths corresponding to 
the lower bound we should witness; this make sense due to the non-uniformity. 

The second search task we shall consider is motivated by another thought 
experiment. Assume that you can prove that no optimal proof system exists 
and, in fact, that you have a uniform construction that from a proof system P 
produces a stronger proof system Q{P) (i.e. not simulable by P). For definite- 
ness, assume that there is one oracle polynomial time machine that for all P 
defines Q{P) when having the oracle for P. Then we expect to be able to prove 

Refp RefQ(p) 

and, most importantly, that it is stronger 

Refp Vl^'^'^TrdTrl < r)^P(ref^(p),7r)] 

where refg^pj is a size fc'^(^) tautology formalizing the soundness of Q{P) w.r.t. 
all proof of size at most k (we assume for simplicity that a proof is always at 
least as long as the formula it proves so one parameter suffices). See a similar 
formula in (jl2p in the proof of Lemma 15.31 

Any decent proof system can simulate Q(P) if it can use refg^p-j as extra 
axioms (see Section [5|). In the following problem a represents a bit mor^ 
generally any extra axiom. 

Let P be a proof system and ci > cq > 1 be constants. Consider the 
following promise computational task Find(P, ci, cq): 

• input: 1^*^^ and a tautology a such that |a| < k'^° 

• required output: any size k tautology /3 that has no proof in proof system 
P -\- a, P augmented by a as an extra axiom schem^l, of size less than 
k^K 

The requirement that the size of /3 is exactly k is just for a technical convenience; 
we could allow any interval [A;^^^\ fc'^^^^] instead. 

2 Computational complexity preliminaries 

Let n — > TO = TO(n) be an injective function such that m{n) > n and let / : 
{0,1}* — J> {0,1}* be a Boolean function. The Nisan-Wigderson generator 
NWaj ■ {0,1}" — > {0,1}™ is defined using the notion of a design. A {d,£)- 
design on [n] is a set system A = {Ji C [n]}ig[m] on [n] — {l,...,n} such 
that: 

■^Really just a bit: for decent P adding a is equivalent to adding the reflection principles 
for P + a. 

^The proof system P + a will be defined in Section [5] 
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• \Ji\= a, for all i, 



• I J,; n Jj I < d, for all i ^ j- 

The j-th bit of 7VW^A,/(a;) is computed by ft : {0, 1}^ ^ {0, 1} from the ^-bit 
string x{Ji) :— Xj^ . . . Xj^, where 

Ji = {:h <■■■<](} 

and ft is the restriction of / to {0,1}^. In the future the parameter € will 
be determined by n and we shall denote the restriction / as well. Nisan and 
Wigderson[3J showed that there are such designs for a wide range of parameters 
n, m, (. and that one can construct them uniformly and feasibly. In particular, 
we can fix the parameters as follows: 

t := n^/^ and m := 2"' and d := log(TO) , (1) 

where 1/3 > (5 > is arbitrary. We shall thus assume that fixing n and d fixes 
the other parameters and also some set system An constructed from 1^"^ l*^™^ 
in time m*^'-^-' and with parameters meeting the requirements. In fact, we need 
that 

Ji is computable from i and 1*^"^ in polynomial time. (2) 
The design from [3T1 L.2.5] has this property. 

In our construction the function / will be NP n coNP. By this we mean that 
it is the characteristic function of a language in NP fl coNP. Hence / is defined 
by two NP predicates 

3yi\y\<\u\- AFo{u,y)) and 3y{\y\ < \u\' A Fi{u,y)) (3) 

with Fq and Fi polynomial-time relations and c a constant such that 

f{u)=a iff 3y{\y\ < \u\- A Fa{u,y)) (4) 

for a = 0, 1. Any string y witnessing the existential quantifier will be called a 
witness for f{u). 

We shall use results from [TB] and those do assume that / has unique wit- 
nesses, meaning that for each u there is exactly one witness for f{u). A natural 
source of NP n coNP functions with unique witnesses are hard bits of one-way 
permutations. That is, for a polynomial time (and intended to be one-way) 
permutation h : {0, 1}* — > {0, 1}* we have 

f{u) B{h(-^\u)) (5) 

where B{v) is a hard bit predicate for h. 

The hardness of one-way permutations is measured as follows. A polynomial 
time permutation h is defined to be e{£) one way with security parameter 
t{£) iff for all £ and any circuit D with £ inputs and of size at most t{£) it holds: 

Prob,^^„^,y[Dihiv)) ^ v] < e{£) . 
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Using the Goldreich-Levin theorem we may assume that such a permutation h 
has a hard bit function B{v). The details can be found in Goldreich f9]. 

Our construction needs to assume that / is hard in the sense of Nisan and 
Wigderson [3T]. They define / to be (e(£), 5'(£))-hard if for every £ and every 
circuit C with £ inputs and of size at most S{i) it holds: 

Prob^emviCiu) ^ f{u)] < 1/2 + e/2 . 

They define then the hardness of /, denoted Hf{£), to be the maximal S such 
that the function is (1/5, 5)-hard. This simplification makes sense when e has 
the rate about to^'^'-'^' as in Nisan and Wigderson [3T]. 

In the proof complexity situations studied in |16j the parameter S plays the 
main role, with e being primarily of the rate This corresponds to the 

fact that in applications of the original Nisan- Wigderson generators m is usu- 
ally exponentially large but for various purposes of proof complexity (especially 
lengths-of-proofs lower bounds) the best choice would be at the opposite end: 
m = n + 1. This lead in [IB] to keeping e and S separate and using the notion 
of the approximating hardness (defined there) in place of Hf{£). In this paper, 
however, we shall use only those results from 16, where m is exponentially large 
as in dl]) and thus using the measure Hf{£) suffices here. 

A one-way permutation h with a hard bit B is exponentially hard iff it 
is ' ' one-way with security parameter 2^ ' The hardness Hf{£) of / is 

then 2^ ' ' as well. Details of these constructions can be found in Goldreich [5]. 

We will use in Sections S] a [7] the hypothesis that an exponentially hard one- 
way permutation exists instead of the presumably weaker assumption that an 
NP n coNP function / with unique witnesses and with exponential hardness Hf 
exists. The only reason is that the former hypothesis is more familiar than the 
latter one. 

3 Proof complexity preliminaries 

Although the formulation of the search tasks Cert and Find may not suggests so 
explicitly this investigation resulted from a research program in proof complexity 
about the so called proof complexity generators and we shall use some ideas from 
this theory. 

We shall start with a proof complexity conjecture of RazborovpGj Con- 
jecture 2]. Take an arbitrary string b e {0,1}™ that is outside of the range 
Rng{NWA^j) of NWa^^J- The statement b ^ Rng{NW a^j) is a coNP prop- 
erty of b and can be expressed by a propositional formula t{NW Ar,j)b in the 
sense that 

T{NWA„j)b e TAUT iff & ^ Rng{NWA^j) ■ 

The construction of the propositional translation of the coNP statement is analo- 
gous to the usual proof of the NP-completeness of SAT. The details can be found 
in any of [6l [HI [23l [15] ) . Note that the size of the formulas is polynomial in 
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m. Razborov's conjecture says that these tautologies are hard for Extended 
Frege system EF for NWa^j defined as above, with m = 2""*"^' and based on 
an NP n coNP function / that is hard on average for P/poly. Pich [22 proved 
the conjecture for all proof systems admitting feasible interpolation in place of 
EF. 

In [12] we have considered a generalization of the conjecture. We shall recall 
only one part of that generalization dealing with exponentially large m; in the 
other parts m = n + 1 and they use the notion of approximating hardness of a 
function mentioned in the previous section. 

Tentative conjecture 3.1 (Part 3 of Statement (S) of [16] ) 

Assume f is an NP H coNP function with unique witnesses that has an ex- 
ponential Nisan-Wigderson hardness Hf{€) = 2^ ' 

Then there is S > such that for m{n) — 2" and for any infinite NP set 
R that has infinitely many elements whose length equals to m{n) for n > 1 it 
holds: 

Rng{NW A^j) r\ R ^ . 

Let us observe that Coni ecture 13.11 has a proof complexity corollary including 
Razborov's conjecture. 

Lemma 3.2 

Let P he any proof system. Assume that Conjecture \3.1\ holds and that 
the Nisan-Wigderson hardness Hf{£) of an NPCl coNP function f with unique 

witnesses is 2^ * ' . 

Then there exists S > such that for all c > I, the size of P -proofs of 
formulas t{NW A„,f)b for all large enough n and all b ^ Rng{NW A„,f) of size 
\b\ = m{n) is bigger than \t{NW A„.f)b\'' ■ 

Proof : 

Note that the set R of all b of lengths m(n) for n > 1 for which t{NW A„j)b 
has a P-proof of size at most \t{NW A„j)b\'^ is in NP. 

q.e.d. 

Now we recall (a part of) the consistency result from [16] concerning Conjec- 
ture 13.11 Its technical heart is a lower bound on complexity of functions solving 
a certain search task associated with NWa„j and that would, in principle, suf- 
fice for our purposes here. Using the consistency result itself, however, seems to 
decrease the number of technicalities one otherwise needs to discuss. 

We first recapitulate a few basic definitions. Cook [6] has defined a theory PV 
whose language L py has a name for every polynomial-time algorithm obtained 
from a few basic algorithms by the composition and by the limited recursion 
on notation, following Cobham's [5] characterization of polynomial time. The 
details of the definition of Lpy can be found in [6l[Tl] but are not important here. 
In fact, neither is the theory PV itself as we shall work with the true universal 
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first-order theory of N in the language Lpv- We shall denote this theory Tpy, 
as in [16]. Note that Tpy contains formulas expressing the soundness of all 
proof systems. 

Let / be an NP n coNP function defined as in Let us abbreviate by 
G{'w, z, x,y) the open Lpv formula 

(z, = 0AFo(u;(J,),2/)) V(z, = 1 A J,), y)) (6) 

where Jx is from the set system A„ (polynomial time definable from and 
x) and Fq, Fx are from ([3]). 

We do not have a symbol in Lpv for the function on {0, 1}* computed for 
n > 1 on {0,1}" by NW a„j as it is not a polynomial time function, and 
the function has to be defined. One possible formalization of the statement 
NW Anji^) — ^ for \'w\ = n and \z\ = m is then 

Mx ^[m]3y{\y\<t) G{w,z,x,y) (7) 

with c from (jS]). Now we are ready to state the result from [16] we shall need. 

Theorem 3.3 (Krajfcek[T6t Thm.4.2(part 3)]) 

Assume f is an NPHcoNP function with unique witnesses having the Nisan- 
Wigderson hardness Hf{£) at least 2^ ' ' . 

Then there is S > such that for any NP set R that has infinitely many 
elements whose length equals to m{n) for n > 1 and defined by Lpv formula 
3v{\v\ < \z\'^)Ro{z,v), with Rq open, theory Tpv does not prove the universal 
closure of the formula 

A ^ B 

where A is the formula with variables v, w, z, n, m, I 

n = |w| A TO = |z| A TO = 2"' A ^ = n^'^ A \v\ < m'^ A Ro{z, v) 
and B is the formula 

3a;e HVydyl <n ^G[w,z,x,y) . 
This statement is in [TB^ derived from a bit finer model-theoretic result. 

4 The hardness of task Cert 

The argument we shall use to derive the hardness of Cert applies to a more 
general situation which we describe now. 

By an (NP n coNP)/poly algorithm we shall mean two polynomial time 
predicates ^0(2^7 2/i z) and ^i(x, y, z) and a constant c > 1 similarly as in ([3]) but 
now with an extra argument z for the non-uniform advice, and a sequence of 
advice strings {wk\k such that |wfe| < k'^ (w.l.o.g. we use constant c also in the 
bound to the length of advice strings). We shall assume that 

Vx, z{\z\ < \xn [3y{\y\ < \xnFo{x, y, z)] ® [3y{\y\ < \xnF,{x, y, z)] (8) 
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is valid where ® is the exclusive disjunction. Thus an (NP n coNP) / poly algo- 
rithm is an NP n coNP set of pairs (x, z) of appropriate lengths augmented by a 
sequence of advice strings substituted for z. In our situation it is more natural 
to talk about algorithms than sets as we shall be looking for " errors they make" . 
We shall denote such an algorithm {T, {u>fc}fe) where T is the triple {Fg, Fi,c) 
from ©. 

For L a language let us denote by Lk the truth table of the characteristic 
function of L on {0, 1}''. If L G NE n coNE then the set of such strings 
{Lk I fc > 1} is in NP and can be defined by an Lpv formula as 

zeR^ iff 3v{\v\<\zf)R^{z,v) (9) 

with Rq an open formula. Any v witnessing the existential quantifier for z will 
be called a witness for z e R^ . Note that TAUT e NE n coNE. 

For a language L e NE n coNE and a triple 7^ as in ([8]) define the search 
task Err(L, J^) as follows: 

• input: l^'^^ string Lk and a witness v for E R^, and a string w such 
that \w\ < k"^ 

• required output: a string x G {0, l}*^ such that J- using w as an advice 
string makes an error on x: 

V2/(|y| < \xn [{xeLkA^Fi{x,y,w))VixiLkA^Fo{x,y,w))] (10) 

Theorem 4.1 Assume that an exponentially hard one-way permutation exists. 
Let L be a language such that L G NE n coNE. 

Then there exists a triple T as in such that no deterministic polynomial 
time algorithm can solve Err(L, J-) on all inputs for all sufficiently large lengths 
k. 

Proof : 

Assume that language L satisfies the hypothesis of the theorem and let J- be 
any triple as in . Assume that A is a. deterministic polynomial time algorithm 
that attempts to solve Err{L,T) on all inputs for all k> ko, for some fco > 1. 

We are going to define a universal Lpv sentence 

that is true iff A solves Err{L. !F) for all inputs for all k > ko. 
The sentence ^L,j=',A,ka is the universal closure of: 

C ^ D 

where C is the formula 

l^l = 2*^ A \v\ < \zf ARI^{z,v) Ak > ko A \w\ < k'' A x ^ A{1^'''> , z , v , w) 
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with A represented by an Lpv function symbol, and D is the formula 

\x\^k A yy{\y\ < e z A ^Fi{x,y,w)) V (x ^ z A ^Fo{x,y,w))] . 

The following should be obvious: 

Claim 1: Algorithm A solves Err[L,J-) for all inputs for all k > ko iff the 
sentence '^L,j^,A.ko true. 

We are going now to define a specific (NP n coNP)/poly triple J" as in ([5]) 
such that 'i^L,j^,A,ko will be false for all L G NE n coNE, all polynomial time 
algorithms A and all fco ^ 1- 

Let h be an exponentially hard one-way permutation with a hard bit B. 
Hence the function / from Q has the exponential hardness Hf{i) — 2^^'^*^'. 
The existence of such h and B is guaranteed by the hypothesis of the theorem. 

Take ^ > provided by Theorem 13.31 and put k := . Using NWAr,J '■ 
{0, 1}" ^ {0, 1}™ = {0, define an (NP n coNP)/poly triple T = (i^o, Fi,c) 
as n © as follows: put c := 5'^ and for x G {0, 1}'=, y G {0, 1}" = {0, w 
of size \z\ = n and a = 0, 1 define: 

Fa{x, y, w) := = J,) A = a] . (11) 

In other words, on input x the algorithm computes the x-th bit of NWa„j{w). 

Claim 2: For no L £ NEC] coNE, no polynomial time algorithm A and no 
ko > 1 is the sentence l.j^.AM tfue. 

To see this note that by substituting term A{1^''\ z , v , w) iov x in C D 
and quantifying it existentially 3x{x e [m]) allows to deduce from '^L,j^,A,ko 
the universal closure of A — > i? from Theorem 13.31 Hence, by that theorem, 

,F,A,ko cannot be true. 

Claims 1 and 2 imply the theorem. 

q.e.d. 

We remark that the argument can be actually extended to rule out a larger 
class of algorithms A: the so called Student - Teacher interactive computations 
of HnHH] (see also [IT]). 

Let (J^, {wk\k) be as above. Define circuits Dk{x, y) to be (some canonical) 
circuits with k inputs x and k'^ inputs y that outputs 1 iff Fi{x,y,Wk) holds. 
We can choose c > 1 large enough so that has size at most fc^ . 

Given a time 2'-'^'''> algorithm can compute the string TAUTj, (as well 
as the witness for TAUT^ G j^taut J■Qq■^^[Yed in the general formulation of the 
theorem). Such an algorithm is then polynomial in the size of TAUT^. If r 
is a solution to Cert(c) on input Dk then either r e TAUT^ and Vy(|?/| < 
k'^)^Fi{T,y,Wk) or r ^ TAUTfe and Dk{T,y) is satisfiable, in which case Tpv 
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implies that \/y{\y\ < k^)^Fo{T,y,Wk)- In other words, an algorithm solving 
Cert(c) solves Err{TAUT, T) too. This yields the following statement as a 
corollary to Theorem 14.11 

Corollary 4.2 Assume that an exponentially hard one-way permutation exists. 
There there is c > 1 such that no deterministic time 2^'^^^ algorithm can solve 
Cert(c) on all lengths fc > 1. 

5 Proof systems with advice and with extra ax- 
ioms 

The task Find was formulated using the provability in a proof system and in this 
section we develop a technical tool allowing us to move from (NP n coNP)/poly 
algorithms to proof systems. We shall recall first the notion of a proof system 
with advice as introduced by Cook-K.jT, Def.6.1]. It is defined as the ordinary 
Cook-Reckhow proof system (cf.the introduction) except that the binary rela- 
tion y) is decidable in polynomial time using an advice string that depends 
only on the length of x (the formula). We say that the advice is polynomial iff 
its length is la;!*^*-^^. This concept has some interesting properties; for example, 
in the classes of these proof systems - with varying bounds on the size of advice 
strings - there exists an optimal one. We refer the reader to [71 Sec. 6] and to 
subsequent [TJ |^ |3] for further information. 

Our aim in this section is to link proof systems with polynomial advice with 
proof systems with extra axioms, as defined below. A sequence of formulas 
{oik\k will be called p-bounded iff \ak\ < fc'^^^^ for all k. 

Definition 5.1 Let P(x,y) be an ordinary Cook-Reckhow proof system. 

1. For a tautology a the proof system P + a is defined as follows: 

a string it is a [P-\-a)-proof of formula t iff t: is a P-proof of a disjunction 
of the form 

V-a, V r 

i 

where a[ are arbitrary substitution instances of a obtained by substituting 
constants and variables for variables. 

2. For a p-bounded sequence {oLk\k of tautologies define a string tt to be an 
{P + {a}~}k) -proof of formula r iff it is a {P + ak)-proof of t for fc = |r|. 

We allow only substitutions of constants and variables in instances a[ in part 1 
as that makes sense for all proof systems (e.g. we do not have to discuss various 
limitations on depth for constant depth Frege systems) and it suffices here. 
Systems {P + {ak}k) are not meant to genuinely formalize the informal notion 
of proof systems with extra axioms; such systems should not pose restrictions 
on which extra axioms can be used in proofs of which formulas. We use them 
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here only as a technical vehicle allowing us to move from proof systems with 
advice to ordinary proof systems. 

Note that while P+a is a Cook- Reckhow proof system, P+{ak}k is generally 
not. The following lemma is obvious as we can use the sequence {ak}k as advice 
strings to recognize (P + {ak}k) - proofs. 

Lemma 5.2 Let P be a Cook- Reckhow proof system. For every p-bounded se- 
quence {ak}k of tautologies P+ {ak}k is a proof system with polynomial advice 
in the sense of Cook-K.j^. 

In Section[T]we used informally the notion of a decent proof system, meaning 
a proof system that can perform efficiently a few simple manipulations with 
proofs. We shall use the formalization of this notion from jlTl Sec. 2]. 

In the following satfe(M, a;, u) are formulas for fc > 1 and suitable r — k'-'^^^ 
with u = . . . , Ufc), X = (xi, . . . , Zfe) and v — (wi, . . . , Ur) such that for all 
a, (/? G {0, 1}'' it holds that: 

• satfe(a, u) e TAUT iff a is a truth assignment satisfying formula (p. 

The extra variables v are used to compute the truth value, as in the NP- 
completeness of SAT. 

A proof system (ordinary or with advice) P is decent iff the following tasks 
can be performed by polynomial time algorithm^: 

Dl From a P-proof n of formula ijjix) and a truth assignment a to variables 
X construct a P-proof of ip(a). 

D2 Given a true sentence ip (i.e. no variables) construct its P-proof. 

D3 Given P-proofs tti of ip and tt2 oi ^ rj construct a proof of rj. 

D4 Given a formula </?(ui, . . . , Un) and a P-proof of formula sati:(u, Lp, v) with 
variables u, v construct a P-proof of tp. 

Conditions Dl-3 are easy to verify for many of the usual proof systems (e.g. 
Frege systems mentioned in the introduction or resolution). The algorithm for 
condition D4 is defined by induction on the number of connectives in ip, cf. [Hi 
Chpt.9]. 

Lemma 5.3 Let Q be a proof system with polynomial advice and P a decent 
Cook-Reckhow proof system. Then for every constant c > 1 there exists a p- 
bounded sequence {ak}k of tautologies and d>l such that: 

Any tautology r having a Q-proof of size < \t\'^ has an (P + {ak}k)-P^oof of 
size < Irl'^. 

*Polynomially bounded functions would suffice for us here but such a weakening would not 
put more of the usual proof systems into the class and so we just stick with the definition 
from [13. 
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Proof : 

Assume that Q uses polynomial size advice string Wk for formulas of size k. 
For fc > 1 denote by proVg {x,y,t,s) a prepositional formula such that: 

• provg has k atoms x = {xi, . . . ,Xk) for bits of a formula, k^ atoms y = 
(2/1 , . . . , j/fcc ) for bits of a Q-proof, k^ atoms t — {ti, . . . ,tkc) for bits of an 
advice and fc"^'^) atoms s = (si, . . . , Sf^oat ) for bits of the computation of 
the truth value of Q{x, y) with advice t, 

• For size k formula (p and a k'^ size strings tt and w: provg [ip, n, w, s) £ SAT 
iff Q{ip,Tr) with advice w is true. 

Then take for ak the formula with variables x,y,z,s,v 

provQ {x,y,t/wk,s) satk{x,z,v) (12) 

where Wk is the string used by Q for size k formulas. The formula expresses the 
soundness of Q and hence it is a tautology. Its total size is 

Let (fi he a, size k formula with variables among z = {zi, . . . , Zk) and having 
a size < fc° Q-proof tt. Let e be bits of the computation of (5(</?, tt) with advice 

Wk- 

Take the following substitution instance of ak- 

provg if , IT, Wk,e) satk{<p,z,v) (13) 

Claim: for some d > 1 depending only on c > 1 and P the formula ip has a 
{P + ak)-proof of size < k'^. 

We shall use the decency of P. By the choice of tt and e the sentence 
prov Q {ip,TT,Wk, e) is true and hence has, by D2, a size fc*^*^'^) P-proof. Then, 
using D3, use modus ponens to derive in size k'-^^'^^ the formula 

satk{v>,z,v) . 

D4 then allows to derive in P the formula (p, in size k'^^^h The total size of the 
P-proof is fcO^'^). 

q.e.d. 

Note that we have not used the decency condition Dl explicitly; it's role is 
replaced here by the definition of the system P + ak which takes as axioms all 
substitution instances of ak- 

Formulas ak depend not only on k and Wk but also on the bound k'^ to the 
length of y. This is the reason why we cannot simply say that EF + {ak}k 
simulates P. 
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6 The undefinability of tasks Cert and Find 



We will need the following notion. For a complexity class X and a language 
L define the property that L is infinitely often in X, denoted L £i,o. X, iff 
there exists L' € X such that 

Ln{0,l}'^' = i'n{0,l}'= 

for infinitely many lengths k. Recall the definition of the class (NP n coNP)/poly 
at the beginning of Sectional 

The following consequence of Conjecture 13.11 was noted at the end of [151 
Sec. 30. 2] and it uses an idea linking the output/input ratio of proof complexity 
generators with the unprovability of circuit lower bounds due to Razborov [24] , 
quite similar to the reasoning in Razborov- Rudich [27] . 

Lemma 6.1 

Assume that Conjecture \S.1\ holds and that an exponentially hard one-way 
permutation exists. Then for every L G NE n coNE: 

L e^.o. {NPn coNP)/poly . 

In particular, TAUT Gi.o. NP/poly. 

Proof : 

Take S > from Conjecture 13.11 Put k := and think of a string b G 
{0, 1}™ as of the truth-table of the characteristic function of the language L on 
inputs of length k; denote it Lj, as in Section [H 

For any language L in NE n coNE the set of strings {Lj. | A; > 1} is in NP: 
the NP witness can collect all 2*^ NE witnesses for each variable setting - this 
will have size 2'^*^'^^ - and check their validity. 

In particular, if some L G NE H coNE would determine the truth-tables Lk 
for k = such that all but finitely many lie outside the range of NWa^j we 
would get a contradiction with Conjecture [ST] Hence we get: 

Claim: For infinitely many n, for k = and m = 2*^; 

Lk G {0,iy^nRng{NWA„j) ■ 

For Lk G Rng{NWA„.f) let a G {0, 1}" be such that NWA„j{a) = Lk- Then 
computing L on i E {0, 1}*^ amounts to computing / on a{Ji). But by the 
requirement ^ posed on A^ the set a{Ji) can be computed from i and a (taken 
as the advice string) in time polynomial in n and / is an NP n coNP function. 

q.e.d. 

This lemma has an immediate consequence for problem Cert. 
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Corollary 6.2 Assume that Conjecture \3.1\ holds and that an exponentially 
hard one-way permutation exists. 

Then for some c > 1 the task Cert(c) has no solution for infinitely many 
lengths k >1. 

We shall derive the same consequence for the task Find using the results of 
Section [51 For a triple J-" as in ([5]) define a proof system with polynomial advice 
Q{x,y) by: 

• either < |w| < \x\'^ A Fi{x, y, w), 

• or w is the empty word and y is a Frege proof of x, 

thinking of w as the advice. Now let {wk}k such that \wk\ < k'^ he a, sequence 
of advice words defining a proof system with advice Q (there exists at least one 
such: the sequence of empty strings). 

Let P be any decent Cook-Reckhow proof system and let formulas ak and 
constant d > 1 be those provided by Lemma 15.31 for c from J^. Assume cq > 1 
is such that |afe| < k'^° and assume also w.l.o.g. that d> cq. 

Consider the task Find{P,co,d). A solution for input l*^*^^ and ak is a size 
k tautology /3 and by the choice of co, d it must be that 

yyi\y\<kn -Fi(/3,y,«;fe) . 

But Conjecture 13.11 implies analogously as above that for the triple com- 
ing from NWA„.f there will be infinitely many lengths A: > 1 and strings Wk 
for which ak is tautology but no such (3 exists. Hence we have the following 
statement. 

Theorem 6.3 Assume that Conjecture \3. 1\ holds and that an exponentially hard 
one-way permutation exists. 

Then for all decent Cook-Reckhow proof systems P there are constants ci > 
Co > 1 such that the task Find(P, co, Ci) has no solution for infinitely many 
lengths k >1. 

7 Disjoint NP pairs 

Let {U,V) and {A,B) be two pairs of disjoint subsets of {0, 1}*. A reduction 
of {A, B) to [U, V) is a function / : {0, 1}* {0, 1}* such that for all u: 

u e A ^ f{u) eU A ueB ^ f{u) e V . 

It is (non-uniform) p-reduction if / is (non-uniform) p-time. 

Disjoint NP pairs appear quite naturally in several places of proof complex- 
ity. Most notably, the reflection principle for a proof system just asserts that 
two NP sets (that of formulas with bounded size proofs and of falsifiable formu- 
las) are disjoint. A particularly elegant form of this observation was found by 
Razborov [25j in the notion of the canonical pair of a proof system. Shadowing 



16 



the relation of the provability of reflection principles to simulations, a similar 
one exists between the provability of disjointness of such pairs and simulations. 
We refer the reader to (33] for more background. 

Given two pairs of disjoint sets {U, V) and {A, B) and a constant c > 1 
consider the search task Pair^'y (c): 

• input: l^*"'^ and a circuit C with k inputs, several outputs and of size at 
most fc^ 

• required output; a string u G {0, 1}'"' such that 

ueAh f{u) iU or ue B A f(u) ^ V . 

In other words, the output string u certifies that circuit C is not a reduction of 
{A,B) to {U,V) on {0,1}^ 

Take a triple 7^ as in ([8]) and define U and V to be the sets of pairs {x, z) 
such that \z\ < |a;|'^ and 3y{\y\ < \x\'')Fo{x,y, z) or 3y{\y\ < \x\'^)Fi{x,y, z), 
respectively. 

For a disjoint pair A, B of sets such that A G NE n coNE take for language 
L on {0, 1}'^ simply A. For w of size < fc"^ consider circuit that takes size k 
input X and outputs the pair {x,w); note that |C^| < k'^^^ for k >> 0. Then a 
solution to Pairpy{c+l) for input 1^^^ and C^^ is also a solution to Err{L, T). 
Hence Theorem 14. II implies the following statement. 

Theorem 7.1 Assume that an exponentially hard one-way permutation exists. 

Then there are two disjoint NP sets U, V and c > 1 such that for any pair 
A, B of disjoint sets such that A G NECi coNE the task Pair^'y (c) is not solvable 
by a deterministic time 2^^^'^ algorithm. 

The reader familiar with the canonical pairs of proof systems mentioned 
earlier may note that these sets are in £^ C NE n coNE and thus the theorem 
applies to them. 

8 Concluding remarks 

The role of Conjecture 13.11 is rather ambivalent: it implies that NP ^ coNP 
(Lemma 133) but also that TAUT ^i.o. NP/poly (Lemma EH]). This is caused 
by the dual role of the Nisan-Wigderson generator; it is a source of hard tau- 
tologies but also a strong proof system. The reader should consider, before 
dismissing Coni ecture 13 . 1 1 because of Lemma 16. 11 how little contemporary com- 
plexity theory understands about the power of non-uniform advice. 

It would be interesting to have a variety of candidate combinatorial con- 
structions Q{P) of a proof system stronger than P, as discussed in Section [TJ 
At present only the construction of iP, the implicit P, from [13 applies to all 
proof systems and it is consistent with the present knowledge that it indeed 
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yields stronger proof systems. An indirect plausible construction of Q{P) may 
use the relation between proof systems and first-order theories: take theory Tp 
corresponding to P, extend Tp by Con{Tp) (or in some other Godelian fashion) 
getting S, and then take for Q{P) the proof system simulating S (cf.[THl E] 
about Tp etc.). But it is hardly combinatorially transparent. 
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